Serious Invasions of Privacy in the Digital Era

Introduction

Pirate Party Australia would like to thank the Australian Law Reform Commission (ALRC) and the Federal Government for conducting this review and providing an opportunity for stakeholders and other interested organisations such as Pirate Party Australia to submit on such an important issue as privacy invasion. Privacy is a United Nations recognised human right frequently taken for granted, and frequently disregarded. Invasions of privacy have the capacity to damage reputations, mental health, safety, security, and financial well­being.

About Pirate Party Australia

Pirate Party Australia is a political party registered under the Commonwealth Electoral Act 1918 (Cth). The Party was founded in late 2008, and competed in its first Federal Election in 2013. The Party’s main areas of concern are intellectual property rights (predominantly copyright and patents), privacy rights, increased governmental transparency, and opposition to censorship. Pirate Party Australia is a member of a worldwide movement that began in Sweden in 2006, and has since spread to more than 40 different countries. Pirate Parties have been elected to all levels of government — local, state, national and supranational — with more than 40 state seats in Germany, three seats in the Icelandic Parliament, and two Members of the European Parliament.

Questions

Principles guiding reform

Question 1: What guiding principles would best inform the ALRC’s approach to the Inquiry and, in particular, the design of a statutory cause of action for serious invasion of privacy? What values and interests should be balanced with the protection of privacy?

The right to personal privacy is fundamental to the dignity of every individual in society. Breaches in privacy can cause serious personal distress and psychological harm and should be treated seriously by the law.

While the right to privacy is important, a distinction needs to be made between personal activities and activities in the public sphere. The public has an overriding right to know about commercial activities, political activities and any activity where transparency is in the interests of justice. In addition, fundamental protections for freedom of expression need to be taken into account. When balancing this with privacy concerns the question "can the expression occur effectively without relying on a breach of privacy?" must be asked.

There is also a need for law enforcement agencies (LEAs) to investigate illegal activities and an exception needs to be made for investigations of specific and serious illegal activities. When investigations call for a breach of an individual's privacy, Pirate Party Australia believes a warrant must be sought and issued by a competent judicial authority, such as a judge or magistrate. There must be no blanket ability afforded to LEA's to trawl through the private information of individuals as it contravenes basic checks and balances of a free and democratic society.

The impact of a statutory cause of action

Question 2: What specific types of activities should a statutory cause of action for serious invasion of privacy prevent redress? The ALRC is particularly interested in examples of activities that the law may not already adequately prevent or redress.

The causes of action recommended by the VLRC (for the misuse of private information and intrusion upon seclusion) are appropriate ways to provide legal redress for serious invasions of privacy. A non­exhaustive list would act as an aid in determining whether a breach of privacy has occurred. An exhaustive list would be inappropriate, as it risks excluding cases where privacy has been invaded, but not adequately defined by examples, and also fails to keep pace with social and technological changes.

A non­exhaustive list should cover the following:

● The misuse of information where there is a reasonable expectation of privacy, including personal photos, videos and other forms of communication (such as email). It is important to take into account the intended recipients and whether the information was intended to be shared, such as on social media. This should not extend to cover unintentional distribution of private material to a broader audience through a fault of the potential victim. An example would be their failure to correctly understand privacy settings and accidentally post private information in a public manner — the individual owes a duty of care to themselves. ● Intrusion upon seclusion may include situations where the information is obtained through illegal means such as hacking, theft or trespass. There should be the ability to seek civil redress in such cases.

Question 3: What specific types of activities should the ALRC ensure are not unduly restricted by a statutory cause of action for serious invasion of privacy?

Pirate Party Australia believes there are a number of areas that should not be unduly restricted by any serious invasion of privacy legislation.

In situations where activities that occur in public spaces are filmed, photographed or otherwise captured there should be a limited or prohibited cause of action. While privacy invasions can occur in public spaces, cameras have become ubiquitous with most people having one in their mobile phones. The intent of the person filming, taking photos, and so on, needs to be taken into account when judging if privacy has been breached. Merely appearing in the background of a shot should not be grounds for a breach in privacy. Journalists should be given broad exemptions when covering public figures and events. Journalists serve an important role in society by increasing transparency and informing the public. The right for the public to know about the public and professional activities of powerful and influential individuals should override expectations of privacy in most cases, although there should still be protection for personal and private activities of public figures.

In cases where a cause of action is available, the evidentiary burden of a breach of privacy in a public place should be on the plaintiff. There should be a requirement that the plaintiff prove on the balance of probabilities that the defendant's actions in a public environment infringed on their privacy to an unreasonable degree.

Invasion of privacy

Question 4: Should an Act that provides for a cause of action for serious invasion of privacy (the Act) include a list of examples of invasions of privacy that may fall within the cause of action? If so, what should the list include?

Pirate Party Australia believes a list of examples would risk being interpreted too narrowly and fail to encompass the myriad of ways in which privacy could be breached. As technology changes, community expectations of privacy may change with them. Broad examples, such as the VLRC proposals outlined in Question 1, would protect the privacy of individuals in unforeseen circumstances.

Question 5: What, if any, benefit would there be in enacting separate causes of action for: ● misuse of private information; and ● intrusion upon seclusion?

These two types of privacy breach are significantly different in form. Misuse of private information is capable of significantly harming the well­being of the victim through the sharing of personal information, including credit card details and medical records and enabling identity theft. Intrusion upon seclusion has the ability to cause psychological distress through embarrassment and fear for personal safety.

With adequate delineation, it would be appropriate to enact separate causes of action as described. Pirate Party Australia sees them as being sufficiently dissimilar to warrant separate causes of action, but acknowledges that there will be instances where the two occur simultaneously (as in the case of stalking, for example). With that said, it is probable with the high degree of information­sharing that occurs (such as between limbs of corporations and between government departments) that misuse of private information would be the more frequent cause of action.

Privacy and the threshold of seriousness Question 6: What should be the test for actionability of a serious invasion of privacy? For example, should an invasion be actionable only where there exists a ‘reasonable expectation of privacy’? What, if any, additional test should there be to establish a serious invasion of privacy?

The basic test of actionability for a serious invasion of privacy should be whether, in the circumstances, the plaintiff had a reasonable expectation of privacy. This should take into account the various subjective elements of the circumstances, such as whether the plaintiff sought reassurance that their privacy would be protected, whether they belonged to a class of person whose privacy a reasonable person would protect, the nature of the interaction and relationship between the parties, and so on. Pirate Party Australia believes this should be a sufficient test for actionability.

Privacy and public interest

Question 7: How should competing public interests be taken into account in a statutory cause of action? For example, should the Act provide that: ● competing public interests must be considered when determining whether there has been a serious invasion of privacy; or ● public interest is a defence to the statutory cause of action?

There are many situations where the public interest should take precedence over the right to privacy, and as such the Act should provide a public interest defence to a cause of action. Pirate Party Australia supports a two­step test modelled on that used in the UK: a requirement for the plaintiff to demonstrate that privacy was reasonably expected, and then for the defendant to demonstrate that exposure of such information is in the public interest (McKennit v Ash [2008] 1 QB 73). This would adequately balance the competing interests in any serious breach of privacy claim.

Question 8: What guidance, if any, should the Act provide on the meaning of ‘public interest’?

Pirate Party Australia believes that 'public interest' should not be narrowly defined in the Act. An explicit definition may exclude activities that are in the public interest. There is precedent set with regard to what 'public interest' is understood to mean at common law, which Pirate Party Australia feels provides appropriate definition. If a statutory definition were required, Pirate Party Australia would advocate a definition along the lines of that offered in London Artists Ltd v Littler [1968] 1 WLR 607: matters that are "such as to affect people at large, so that they may be legitimately interested in, or concerned at, what is going on, or what may happen to them or others." Publication of information that relates to public and private institutions can override confidentiality concerns under existing Australian law (Commonwealth of Australia v John Fairfax & Sons Ltd (1980) 147 CLR 39) and Pirate Party Australia would not object to a statutory provision with similar intent.

Though, as the ALRC notes, the High Court case of Hogan v Hinch (2011) 243 CLR 506 provides sufficient direction for interpreting 'public interest,’ and it may be better to leave this to judicial discretion. As such, the Party has no firm opinion in either direction, but if a statutory definition were to be introduced it would favour a definition similar to that above.

Fault

Question 9: Should the cause of action be confined to intentional or reckless invasions of privacy, or should it also be available for negligent invasions of privacy?

Negligence should be a cause of action in circumstances where data has been exposed due to negligent handling. A duty of care arises when handling personal information, and breach of that duty should be actionable in order to provide a more rounded set of privacy protections. In other circumstances serious invasions of privacy should only be actionable when the invasion is caused intentionally or through recklessness.

Damage

Question 10: Should a statutory cause of action for serious invasion of privacy require proof of damage or be actionable per se?

Any statutory cause of action for a serious invasion of privacy should be actionable. Privacy is a fundamental human right, and any breach of privacy without justification (as outlined above) must risk resultant legal action. A right to redress serious invasions of privacy should be available to deter serious invasions of privacy before they occur.

Question 11: How should damage be defined for the purpose of a statutory cause of action for serious invasion of privacy? Should the definition of damage include emotional distress (not amounting to a recognised psychiatric illness)?

Damage should be defined broadly for a statutory cause of action for a serious invasion of privacy. It should include emotional distress (not amounting to a recognised psychiatric illness). A breach of privacy should in itself be a tort (as in other jurisdictions it has been recognised) and have means of redress regardless of damage inflicted by the breach. As the ALRC is no doubt aware, actual damage — physical or mental — is not required for the trespasses of battery (Cole v Turner (1704) 87 ER 907; Secretary Department of Health and Community Services v JWB and SMB (1992) 175 CLR 218) or assault (Bradey v Schatzel [1911] St R Qd 206). Pirate Party Australia believes privacy should be treated likewise, with remedy for breach of an inviolable right, and not for actual damage.

Personal resilience can have quite a bearing upon the response to serious invasions of privacy. What may be a minor irritant to one person could be personally devastating to another. As such, damages should be awarded for anyone subjected to a serious invasion of privacy. The level of distress of the victim of the privacy invasion should be taken into account to some extent when damages are awarded.

Defences and exemptions Question 12: In any defence to a statutory cause of action that the conduct was authorised or required by law or incidental to the exercise of a lawful right of defence of persons or property, should there be a requirement that the act or conduct was proportionate, or necessary and reasonable?

Employers investigating misconduct by employees must act in a proportionate way to the seriousness of the allegation. Having access to private emails, for example, is an invasion of privacy beyond any proportionate measure. On the other hand, surveilling stock to protect it from theft is a reasonable measure. Pirate Party Australia would be interested in how such a defence would be framed before commenting further.

Question 13: What if any, defences similar to those to defamation should be available for a statutory cause of action for serious invasion of privacy?

Defences to claims of serious invasions of privacy should be substantially similar to those available as defences for defamation as explained in the discussion paper.

Question 14: What, if any, other defences should there be to a statutory cause of action for serious invasion of privacy?

Other defences to the claim of a serious invasion of privacy should include (from the list provided in the discussion paper):

● The information was already in the public domain ● The circumstances justified the conduct as a matter of necessity ● There was a contractual waiver; ● For online material, that the material has been taken down upon notification.

Additionally, where posts have been made on social media, the poster of the initial information must be considered liable for the breach in privacy. While the social media service has a responsibility to remove posts that breach privacy, it must never be considered liable for what a user of the service posts using the service.

Question 15: What, if any, activities or types of activities should be exempt from a statutory cause of action for serious invasion of privacy?

It is necessary that any defence that the conduct was authorised or required by law or incidental to the exercise of a lawful right of defence of persons or property be proportionate, necessary and reasonable. When privacy is invaded due to legal requirements, that privacy is not unduly removed any more than required to carry out the duty. In such cases, the intent of the acting individual should be taken into account in determining if there was a serious invasion of privacy. There are situations where, such as during a fire, privacy would be seriously invaded in the process of attempting to save lives and property. Such an invasion would be deemed necessary due to circumstances. However this would only be proportionate if privacy was invaded in the specific activity required for the duty to be completed. To continue with the example of fighting a fire, using the fire as a pretence to sift through personal belongings would constitute a serious invasion of privacy. Monetary remedies

Question 16: Should the Act provide for any or all of the following for a serious invasion of privacy: ● a maximum award of damages; ● a maximum award of damages for non-economic loss; ● exemplary damages; ● assessment of damages based on a calculation of a notional licence fee; ● an account of profits?

Monetary remedies for serious invasions of privacy must take into account a multiplicity of factors that will require careful consideration. At a minimum, any current or expected loss incurred by the plaintiff, as a result of, or required to re­protect their privacy, plus any profit made by the defendant from the breach of privacy, must be awarded as damages. In addition the Court must take into account whether to increase damages based on whether the action was aggravated and/or whether the damages amounts to a level sufficient to act as a deterrent.

Injunctions

Question 17: What, if any, specific provisions should the Act include as to matters a court must consider when determining whether to grant an injunction to protect an individual from a serious invasion of privacy? For example, should there be a provision requiring particular regard to be given to freedom of expression, as in s 12 of the Human Rights Act 1998 (UK)?

Privacy and freedom of expression are both fundamental human rights which, at times, are in direct tension. Much of the difficulty in drafting serious invasion of privacy laws is balancing these competing interests. Much of the discussion of 'public interest' in Questions 1 and 3 aims to specifically address this issue in the broader outline for the proposed privacy legislation. Any injunction should be subjected to the same balance of interests and as such does not need to be specifically included in any specific injunction clauses as long as an injunction is subject to the same broad tests for an invasion of privacy and freedom of expression is part of the broader laws.

Other remedies

Question 18: Other than monetary remedies and injunctions, what remedies should be available for serious invasion of privacy under a statutory cause of action?

Pirate Party Australia feels that the recommendations in the discussion paper are all necessary tools with which remedies to invasions of privacy may be addressed in addition to damages. The defendant would have to act reasonably, to the best of their ability to remove any copy at their expense. The Party notes, however, that materials published on the Internet may prove difficult to remove as many sites that may host or mirror the information would lie outside of the Court’s jurisdiction.

Who may bring a cause of action

Question 19: Should a statutory cause of action for a serious invasion of privacy of a living person survive for the benefit of the estate? If so, should damages be limited to pecuniary losses suffered by the deceased person?

Claims on behalf of deceased persons may be brought. This needs to be permitted by either the estate of the deceased or the Privacy Commissioner to address serious breaches in privacy.

Question 20: Should the Privacy Commissioner, or some other independent body, be able to bring an action in respect of the serious invasion of privacy of an individual or individuals?

The Privacy Commissioner should have the capacity to bring action for serious invasions of privacy. There may be situations where a breach of privacy requires action and the victim is unable or unaware of the breach, yet the interests of society would be better protected by a prosecution taking place. There should also be provisions allowing for representative hearings, where groups of individuals combine their complaints into one case.

Limitation period

Question 21: What limitation period should apply to a statutory cause of action for a serious invasion of privacy? When should the limitation period start?

Any limitation on claims of a serious breach of privacy must begin when the victim is made aware of the breach of privacy. A similar approach to defamation laws seem reasonable, where the victim has one year to bring charges, which can be extended to three years if there is a legitimate reason the proceedings could not begin earlier.

Location and forum

Question 22: Should a statutory cause of action for serious invasion of privacy be located in Commonwealth legislation? If so, should it be located in the Privacy Act 1988(Cth) or in separate legislation?

A statutory cause of action for serious invasions of privacy should be incorporated into the Privacy Act 1988 (Cth) and further powers be granted to the Privacy Commissioner to deal with the expanded role. Pirate Party Australia believes that the most efficient and practical method of introducing new privacy legislation, particularly given much of it would be in relation to interstate and international privacy matters, is at the federal level. Question 23: Which forums would be appropriate to hear a statutory cause of action for serious invasion of privacy?

Pirate Party Australia believes the Federal Court and Federal Circuit Court would be the appropriate forums to hear a statutory cause of action for serious invasions of privacy, which may extend to state Supreme Courts if necessary.

Question 24: What provision, if any, should be made for voluntary or mandatory alternative dispute resolution of complaints about serious invasion of privacy?

Pirate Party Australia supports voluntary dispute resolution if arbitration is sought by the plaintiff. Arbitration sought by the defendant may be used as a delaying tactic to avoid legal action for the invasion of privacy.

Interaction with existing complaints processes

Question 25: Should a person who has received a determination in response to a complaint relating to an invasion of privacy under existing legislation be permitted to bring or continue a claim based on the statutory cause of action?

A person who has received a determination in response to a complaint must be permitted to bring or continue a claim based on the statutory cause of action. Additionally, the Privacy Commissioner should be granted to power to recommend cases be heard to address serious invasions of privacy.

Other legal remedies to prevent and redress serious invasions of privacy

Question 26: If a stand-alone statutory cause of action for serious invasion of privacy is not enacted, should existing law be supplemented by legislation: ● providing for a cause of action for harassment; ● enabling courts to award compensation for mental or emotional distress in actions for breach of confidence; ● providing for a cause of action for intrusion into the personal activities or private affairs of an individual?

Pirate Party Australia would be in favour of such supplementary legislation.

Question 27: In what other ways might current laws and regulatory frameworks be amended or strengthened to better prevent or redress serious invasions of privacy? Pirate Party Australia declines to answer this question, but is interested in seeing other options that may be submitted.

Question 28. In what other innovative ways may the law prevent serious invasions of privacy in the digital era?

Social media companies may, at times alter their privacy policies, often in confusing and not immediately apparent ways, enabling wider groups of people to access information that was intended to be only accessible by a small group of select friends or followers. The damage caused by such an alteration of privacy provisions may result in, and has indeed resulted in humiliating information becoming widely or universally available. When privacy is invaded due to changes in a company's privacy policy, information held by the company must continue to exist under the privacy policy that the material was originally posted under. Any exposure of private information due to privacy changes must become actionable by the affected individual.